
Issued: June 2013 PA 2320-4: Continuous Assurance

© 2013 The Institute of Internal Auditors www.globaliia.org

Practice Advisory 2320-4: Continuous Assurance

Primary Related Standards

2320: Analysis and Evaluation

Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

1. The traditional testing of controls has been performed on a retrospective and cyclical basis, often months after business activities have occurred, and frequently relies on historical sampling techniques. Such sample-based audits may not meet the needs of an organization, especially when the risk profile of an organization may require more timely information. Because the pace of business and rate of organizational change require more proactive identification of issues, technology can be leveraged to identify potential problems and concerns in a more timely manner. Internal audit should consider evaluating control effectiveness continuously, if warranted by the risk profile, rather than using more traditional periodic historic testing of selected internal controls and risks in an organization.

2. The IPPF Glossary defines assurance services as “an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.” Continuous assurance can best be achieved through a combination of management’s continuous monitoring responsibilities and internal audit’s continuous auditing activities.

3. Continuous monitoring is a management process that monitors whether internal controls are operating effectively on an ongoing basis. Higher risk events (e.g., unusual or nonrecurring transactions) can be observed and flagged for additional attention or testing. In addition to continuous monitoring processes, continuous auditing routines developed by internal auditors, when appropriate, may be transitioned to management, in which case they become continuous monitoring procedures performed by management.

4. Many of the techniques management uses to continuously monitor controls are similar to continuous auditing techniques that may be performed by the internal auditor. The key to continuous monitoring is that the process should be owned and performed by management as part of its responsibility to implement and maintain an effective control environment. Because management is responsible for internal controls, it should have a means to determine, on an ongoing basis, whether the controls are operating as designed. By being able to identify and correct control problems in a timely manner, the overall control system can be improved.

5. The annual audit plan should identify areas potentially subject to continuous auditing. Internal audit should leverage the organization’s risk management framework (if one has been developed) as well as its own risk assessment, to identify these areas. The frequency of coverage should be based on the risk factors in an area or business process. Continuous auditing helps internal auditors identify and assess risk and establish intelligent and dynamic thresholds that respond to changes in the enterprise. It also contributes to risk identification and assessment.

6. Successful implementation of continuous auditing requires the support of key stakeholders. The following steps should be considered when developing and sustaining continuous auditing activities:

· Prioritize areas for coverage and select a continuous auditing approach.

· Define output requirements.

· Select analysis tools, which could be either in-house or vendor-provided software.

· Determine scope of continuous auditing routines.

· Assess data integrity and prepare data.

· Understand management’s continuous monitoring approach.

· Develop continuous audit routines to assess controls and identify deficiencies.

7. Once the objectives of continuous auditing have been defined, senior management support should be obtained for the continuous auditing coverage.

8. Data files, such as detailed transaction files, often are only retained for a short time. Therefore, the internal auditor should make arrangements for retaining appropriate data. Access to programs/system and data should be arranged well in advance of the needed time period to avoid interference with the production environment. The internal auditor should assess the effect that changes to the production programs/system, including access security, may have on the use of continuous auditing routines. The internal auditor should obtain reasonable assurance of the integrity, reliability, usefulness, and security of the continuous auditing routines through appropriate planning, design, testing, processing, and review of documentation.

9. The internal auditor should examine the adequacy of management’s continuous monitoring activities. This will determine how much reliance internal audit can place on the organization’s control environment, which will impact the nature and frequency of the audit work to be performed.

10. The internal auditor should consider the objectives of continuous auditing, the risk appetite of the enterprise, and the level and nature of management’s continuous monitoring, when setting the timing, scope, and coverage of continuous auditing tests.

11. The frequency of continuous auditing activities will range from real-time to periodic analysis of detailed transactions, snapshots, or summarized data. The frequency will depend on the level of risks associated with the system or process being examined as well as the adequacy of continuous monitoring performed by management and the resources available. Critical systems with key controls may be subject to real-time analysis of transactional data. The internal auditor should consider the regulatory requirements and the degree to which management is addressing the risk exposures and potential impacts. When management has implemented continuous monitoring systems for controls, internal and external auditors should determine to what extent they can rely on the continuous monitoring processes to reduce detailed control testing.

12. When continuous auditing routines are changed, the internal auditor should conduct a review of the changes for integrity, reliability, usefulness, and security. The internal auditor should document the results of this review prior to placing reliance on the revised continuous auditing routines.

13. Once the continuous auditing routines have been executed, the internal auditor should review the results to identify transactions that fail the control tests. Increased risk levels can be identified by comparative analysis (i.e., comparing one process to other processes, one entity to other entities, or running the same tests and comparing results over time). One of the challenges of implementing a continuous auditing or monitoring system is the efficient response to control exceptions and risks that are identified. When a continuous auditing or monitoring system is implemented, it is common for a large number of exceptions to be identified that, upon investigation, prove not to be a concern. The continuous auditing system needs to allow the test parameters to be adjusted so that such exceptions do not result in alerts or notifications. Once the process of identifying such false positives is performed, the system increasingly can be relied on to only identify control deficiencies or risks of significant concern.

14. If a control breakdown and/or risk concern is identified through continuous auditing, it should be reported to management. As a result, the internal auditor should request a management response outlining the action plan and date, as applicable. Once the appropriate action has been taken, the internal auditor may consider using the continuous auditing program again to verify that the remediation addressed the control weakness and reduced the level of risk.

15. The internal auditor should review the efficiency and effectiveness of the continuous auditing programs periodically. Additional control points or risk exposures may need to be added and others may be deleted based on more current risk assessments. Thresholds, control tests, and parameters for various analytics may need to be tightened or relaxed.

16. The continuous auditing process should be documented sufficiently to provide adequate audit evidence. Refer to Practice Advisory 2330-1: Documenting Information for additional guidance.

Issued: June 2013
